Author Topic: Possible Virus in Regestry  (Read 10513 times)


Offline Confused Computer User

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 700
  • The answer is 42
Possible Virus in Regestry
« on: December 18, 2009, 10:46:52 PM »
Hi everyone,

Hopefully this is not what I think it is, but that's why I'm here asking for help (again).

I updated SAS and downloaded the latest database (the same for Avast, MBAM and IObit 360).
Now I ran a scan with SAS and it found two Trojans in the Registry. I ran MBAM and IObit (full scan for both) and found nothing. I'm currently running a thorough scan with avast which is at 75% with no detection so far. I'm thinking that it may be a false positive but I want to make sure it is the case.

Since this is the registry I am RELUCTANT (not meant as a yell but an emphasis) to send the files/keys to the chest as this may prevent the computer from running or starting up.  :-\

Is there a way to verify SAS's results without deleting/sending the files to the chest?

I'm not good with registry and it falls in the same realm as .dll files... (it's Pandora's box which I wouldn't touch with a wireless mouse).

Any suggestions? :-[
Computer Systems:

Intel Pentium 4 641 / 2GB RAM / Vista Home Basic SP2 / avast! 5.0 Home / SAS Free / MBAM Free / Windows Defender / Windows Firewall / Spyware Blaster/ Secunia PSI / Firefox 3.6 / Opera 10.5

Core2Duo T8300 / 4GB RAM / Vista Home Premium SP2 (32 bit version) / Same Software.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: Possible Virus in Regestry
« Reply #1 on: December 18, 2009, 11:08:55 PM »
Hi Confused Computer User,

HKU\S-1-5-21-3957849015-831085324-2472952435-1000\SOFTWARE\MICROSOFT etc
S-1-5-21 Security Identifier

This represents a user that does not exist in your windows installation. It
could represent a user on a different installation of Windows. This can be
expected if the file was created in another Windows installation.

Do you know where the permission originates at? What I mean is, you see this
permission on a folder. Go up to the parent folder, and check to see if it
is there as well, and keep doing that until you either find a folder that
doesn't have that permission or you hit your hard drive.

Once you find out where the permission originates at, you should be able to
remove it from that location's permission list by going to the security tab,
clicking the edit button, clicking the permission, and clicking remove,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89287
  • No support PMs thanks
Re: Possible Virus in Regestry
« Reply #2 on: December 18, 2009, 11:21:53 PM »
You can't have a physical virus in the registry as it doesn't store files. It has run commands, etc. which are used to run files. If there is no file in the location then the registry entry is effectively inert.

Unfortunately you haven't given us enough information, as your image doesn't show the full details of the registry entry, e.g. no file name, etc.

Also you aren't sending files to the quarantine, but the registry entry.

So you need to copy the full details of the registry key and post them, then we might be able to see the rabbit.

Unfortunately I don't see where polonus came up with what isn't in your post or image, so that is speculation and not confirmed, as there are literally 42 sub-keys that this could relate to the first part of the info in the image HKEY_USERS\S-1-5-21-3126928747-2492246226-67290611-1004\Software\Microsoft\... The bold bit is unique and could change from system to system.

So we really need the full text of the entry or we are just speculating.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: Possible Virus in Regestry
« Reply #3 on: December 18, 2009, 11:29:17 PM »
Hi DavidR,

This is a security identifier for an account in the REGISTRY, so far I am convinced I am right for S-1-5-21 stands for that:  I am also asking for the file that connects to this registry entries that was flagged, it could be part of malcode as well. But like you going on data in a picture is just stumbling around in the dark somewhat, because I have no connections to the real culprit of it,

polonus

Offline Confused Computer User

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 700
  • The answer is 42
Re: Possible Virus in Regestry
« Reply #4 on: December 18, 2009, 11:34:52 PM »
Oh thanks both for the quick reply.

the entries are:

HKU\S-1-5-21-3957849015-831085324-2472952435-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN#L07AXLRD_98547594

HKU\S-1-5-21-3957849015-831085324-2472952435-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN#L07AXLRD_33073756

The Avast scan is done and no suspicious files were found.

Hi DavidR,

This is a security identifier for an account in the REGISTRY, so far I am convinced I am right for S-1-5-21 stands for that:  I am also asking for the file that connects to this registry entries that was flagged, it could be part of malcode as well. But like you going on data in a picture is just stumbling around in the dark somewhat, because I have no connections to the real culprit of it,

polonus

How do I find that file Polonus.... Again registry is like hieroglyphs to me so please allow me to take this one step at a time.  :-[


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: Possible Virus in Regestry
« Reply #5 on: December 18, 2009, 11:54:22 PM »
Hi Confused Computer User,

I have been fumbling into your online history and found it I assume, and it shows the Internet never loses one little digital bit,

Because, my dear friend, you posted about this before here:
http://forum.avast.com/index.php?topic=44088.0;wap2
Go to UN#L07AXLRD_98547594 in that posting and you have the bastard,
come up with a fresh HJT log file where we can see what is L07AXLRD_98547594 in Microsoft Student
or another Program File...

O4 - HKUS\S-1-5-21-3957849015-831085324-2472952435-1001\..\Run: [L07AXLRD_672395] "C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2007 DVD\EDICT.EXE" -m (User 'Bobby')
O4 - HKUS\S-1-5-21-3957849015-831085324-2472952435-1001\..\Run: [L07AXLRD_33073756] "C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2007 DVD\EDICT.EXE" -m (User 'Bobby')

And that user is Bobby whoever that is, was the owner of that specific Security Id - fire the executables for  L07AXLRD_98547594 up to virustotals and give the results, to see if these are genuine and not a FP, then we know what it is and can start discussing, one thing is sure the malcode came with a bittorrent download - all that is free comes with a prize alas these are the facts...

polonus
« Last Edit: December 18, 2009, 11:59:40 PM by polonus »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Possible Virus in Regestry
« Reply #6 on: December 19, 2009, 12:13:27 AM »
You can't have a physical virus in the registry as it doesn't store files. It has run commands, etc. which are used to run files. If there is no file in the location then the registry entry is effectively inert.

What David says, a registry entry without a file is just so much garbage - you may get an error message when you start windows in that user but deletion of the key is not a problem
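
As an added example (not code from this thread, nor from HijackThis, SAS or avast), a Python triage helper that parses HijackThis O4 registry-Run lines like the ones polonus quoted, decodes the S-1-5-21 SID into its machine/domain identifier and RID, extracts the executable each Run value launches, and marks a value whose target file is missing as an orphan, which is the inert case DavidR and essexboy describe. The SAMPLE_LOG lines are copied from the logs in this thread; the injectable `exists` callback is an assumption of the example so it can run offline, and on a live Windows host the default os.path.exists does the real check.

```python
import os
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# A HijackThis "O4" registry-Run line, e.g. (copied from the log in this thread):
# O4 - HKUS\S-1-5-21-...-1001\..\Run: [L07AXLRD_672395] "C:\...\EDICT.EXE" -m (User 'Bobby')
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS)(?:\\(?P<sid>S-[\d-]+))?\\\.\.\\Run\w*: "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# First executable of a command line: a quoted path (may contain spaces) or an unquoted path
# up to a known extension. A plain split on whitespace would break "C:\Program Files\...".
EXE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.(?:exe|com|cmd|bat|scr|dll|vbs|js))(?=\s|$)', re.I)
WELL_KNOWN = {"S-1-5-18": "SYSTEM", "S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE"}

# Constructed sample: four lines taken from the HJT logs quoted in this thread, plus one non-O4 line.
SAMPLE_LOG = [
    r"""O4 - HKUS\S-1-5-21-3957849015-831085324-2472952435-1001\..\Run: [L07AXLRD_672395] "C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2007 DVD\EDICT.EXE" -m (User 'Bobby')""",
    r"O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe",
    r"O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')",
    r"O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot",
    r"O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe",
]


@dataclass
class AutorunEntry:
    hive: str
    sid: Optional[str]
    user: Optional[str]
    name: str            # the Run value name, e.g. L07AXLRD_672395
    path: Optional[str]  # executable the value launches, None if the command line is not parseable
    status: str          # 'present', 'orphan' (the inert case DavidR describes) or 'unresolved'


def describe_sid(sid: str) -> str:
    """Decode a SID: well-known service SIDs, or S-1-5-21-<machine/domain id>-<RID> accounts."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    parts = sid.split("-")
    if len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]:
        rid = int(parts[7])
        kind = {500: "built-in Administrator", 501: "built-in Guest"}.get(
            rid, "user-created account" if rid >= 1000 else "built-in account")
        return f"{kind} (RID {rid}) on machine/domain {'-'.join(parts[4:7])}"
    return "unrecognised SID"


def launched_executable(cmd: str) -> Optional[str]:
    m = EXE_RE.match(cmd.strip())
    return os.path.expandvars(m.group("q") or m.group("u")) if m else None


def parse_o4_lines(lines: Iterable[str],
                   exists: Callable[[str], bool] = os.path.exists) -> List[AutorunEntry]:
    """Parse O4 registry-Run lines. 'exists' is injectable so the orphan check can run offline
    against a constructed file list instead of the live filesystem (the default)."""
    entries = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue  # other HJT sections, or O4 startup-folder lines, are not registry Run values
        path = launched_executable(m.group("cmd"))
        if path is None or "\\" not in path:
            status = "unresolved"  # bare name like ShowWnd.exe is found via PATH at logon; no static check
        else:
            status = "present" if exists(path) else "orphan"
        entries.append(AutorunEntry(m.group("hive"), m.group("sid"), m.group("user"),
                                    m.group("name"), path, status))
    return entries
```

An orphan entry is only a leftover pointer and deleting it changes nothing at logon; a present entry is the one to hash and look up before deciding whether the detection is a false positive.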


Offline Confused Computer User

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 700
  • The answer is 42
Re: Possible Virus in Regestry
« Reply #7 on: December 19, 2009, 12:16:06 AM »
Thanks Polonus.

The result is 0/39 so I'm now certain it's a FP.

Man, never thought you could use HJT to track the culprit. Kind of creepy how fast you found that.   :o ;D

So how should I proceed?

Thank you again.

You can't have a physical virus in the registry as it doesn't store files. It has run commands, etc. which are used to run files. If there is no file in the location then the registry entry is effectively inert.

What David says, a registry entry without a file is just so much garbage - you may get an error message when you start windows in that user but deletion of the key is not a problem



I wrote the above before I saw this... Thank you for the translation... In many ways I'm still a noob (but I'm learning).


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89287
  • No support PMs thanks
Re: Possible Virus in Regestry
« Reply #8 on: December 19, 2009, 12:24:05 AM »
You need to follow through with what polonus suggested and post or at least check using HJT, e.g. are you or someone using Microsoft Student with Encarta as that is what the entry relates to as is seen by your old post that polonus dug up.

If you no longer have whatever it is installed on your system, then it is a remnant after removal, in which case as essexboy said, allowing SAS to delete it isn't a problem.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: Possible Virus in Regestry
« Reply #9 on: December 19, 2009, 12:30:24 AM »
Hi Confused Computer User,

Yep, real malware fighters should use their intuition as well, especially where Confused Computer User is concerned  ;D
Did you remove the links to that Encarta DVD programs?
The next step would be to remove this with regedit in Run: but we have a better option for you...
Fix it with HJT. Just provide us with a HJT 2.0 log of the recent machine, and we see what we can fix.
Attach the HJT logfile to your next posting and we come up with to fix so and so. We now have essexboy's blessing and to me that is as good as gold, and with DavidR to second this, there is no doubt about this procedure whatsoever,

pol
« Last Edit: December 19, 2009, 12:55:10 AM by polonus »

Offline Confused Computer User

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 700
  • The answer is 42
Re: Possible Virus in Regestry
« Reply #10 on: December 19, 2009, 01:36:10 AM »
OK then well, it took a while to remember how to use HJT. I did a second scan with SAS and it came out clean so I'm feeling relieved. Just in case here is the HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:23:51 PM, on 18/12/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\mobsync.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\RtHDVCpl.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\ModPS2Key.exe
C:\Windows\system32\igfxsrvc.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Windows7FirewallControl\Windows7FirewallControl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\IObit\IObit Security 360\is360tray.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_CA&Sys=DTP&M=H5088
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_CA&Sys=DTP&M=H5088
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_CA&Sys=DTP&M=H5088
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=EM&Loc=ENG_CA&Sys=DTP&M=H5088
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [ModPS2] ModPS2Key.exe
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [auditadmin] C:\windows\temp\auditadmin.cmd
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [Windows7FirewallControl] C:\Program Files\Windows7FirewallControl\Windows7FirewallControl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [IObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O13 - Gopher Prefix:
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Windows7FirewallService - Sphinx Software - C:\Program Files\Windows7FirewallControl\Windows7FirewallService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6819 bytes

Thank you again for all the help and reassurance. I'm keeping my fingers crossed that the rest is ok. 8)

YoKenny

  • Guest
Re: Possible Virus in Regestry
« Reply #11 on: December 19, 2009, 02:55:14 AM »
I would remove IOBit as per:
IOBit Theft Conclusion
http://www.malwarebytes.org/forums/index.php?showtopic=33217

Close all browsers and select the following then Fix checked
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_CA&Sys=DTP&M=H5088
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_CA&Sys=DTP&M=H5088
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_CA&Sys=DTP&M=H5088
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=EM&Loc=ENG_CA&Sys=DTP&M=H5088

Make the Start page Google.com as it loads faster with less advertisements by going to IE then Tools then Internet Options then select Use current
« Last Edit: December 19, 2009, 02:57:09 AM by YoKenny »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: Possible Virus in Regestry
« Reply #12 on: December 19, 2009, 01:50:07 PM »
Hi Confused Computer User,

Before we gonna fix with HJT, I'd like you to perform the following Clean Boot and then give me a fresh HJT log:

How to perform Clean Boot:

=================

1. Click Start, type MSCONFIG in the Search Bar and press Enter to start the System Configuration Utility.

Note: Please click Continue if the "User Account Control" window pops up.

2. Click the Services tab, check the "Hide All Microsoft Services" box and click Disable All (if it is not gray).

3. Click the Startup tab, click Disable All and click OK.

4. Restart the computer and test the issue.

Note: Clean Boot is a troubleshooting step. If some programs have been disabled during the troubleshooting, we can enable them later. If the System Configuration Utility appears, check the "Don't show this message" box and then click OK.

What's the result?

If you would like to disable Welcome Center, you can try the following method:

1. Click Start, type Regedit and press Enter.

2. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.

3. Right click on WindowsWelcomeCenter and select Delete.

Restart the computer and test the result,

polonus


Offline Confused Computer User

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 700
  • The answer is 42
Re: Possible Virus in Regestry
« Reply #13 on: December 19, 2009, 10:58:06 PM »
Hi Confused Computer User,

Before we gonna fix with HJT, I'd like you to perform the following Clean Boot and then give me a fresh HJT log:

How to perform Clean Boot:

=================

1. Click Start, type MSCONFIG in the Search Bar and press Enter to start the System Configuration Utility.

Note: Please click Continue if the "User Account Control" window pops up.

2. Click the Services tab, check the "Hide All Microsoft Services" box and click Disable All (if it is not gray).

3. Click the Startup tab, click Disable All and click OK.

4. Restart the computer and test the issue.


I've done "Clean Boot"'s before but I'm lost on step 4. Do you mean that I test/scan again with SAS or do you mean I do a HJT log?


If you would like to disable Welcome Center, you can try the following method:

1. Click Start, type Regedit and press Enter.

2. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.

3. Right click on WindowsWelcomeCenter and select Delete.



As far as I know my welcome center is disabled. It doesn't start-up when I boot my computer. Is that what you meant?

Thank you again for the continued support and tolerance for my perpetual confusion. ;D

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: Possible Virus in Regestry
« Reply #14 on: December 19, 2009, 11:10:55 PM »
Hi Confused Computer User,

You've done fine so far, I meant give us a new HJT logfile and we analyze that for eventual fixes,

pol
